
Re: Password generation classes

From: John Wong <gokoproject@gmail.com>
Date: Wed, 30 Sep 2015 11:47:01 -0400
Message-ID: <CACCLA54UuuXdPXmy5wCFqdy5P0x0SLSVEyUOm=Raj00wV+n2bA@mail.gmail.com>
To: Jonathan Kingston <jonathan@jooped.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Wed, Sep 30, 2015 at 5:57 AM, Jonathan Kingston <jonathan@jooped.com>
wrote:
>
> The credential manager would also have the ability to inform users of
> applications using weak credentials for longer time periods than suggested.
>
>
> ---
>
> This might for example look like:
>
> navigator.credentials.get({ "password": true, credentialClass: 2 })
>
> An application would inform the credential manager what class of credential
> they require; this prevents the credential manager sending things that the
> app can't cope with, however it also prevents the site making bad choices.
>
>

This is where it confuses me, and excuse me if it is clear to others. How should
the CM prevent the site from making bad choices?
I think the first part is like a handshake where we exchange, negotiate and
agree upon something. But maybe we have to be careful with negotiation - if
the WG says these are the only classes the UA supports. At least there should be an
option in the browser to bypass the negotiation so it makes testing easy
(maybe I want to test a weak password).

John
Received on Wednesday, 30 September 2015 15:47:29 UTC
